{"schema_version":"1.7.2","id":"OESA-2026-2921","modified":"2026-07-09T12:51:32Z","published":"2026-07-09T12:51:32Z","upstream":["CVE-2026-49432","CVE-2026-49434","CVE-2026-49877","CVE-2026-50734","CVE-2026-52760","CVE-2026-53916","CVE-2026-53917"],"summary":"activemq security update","details":"The most popular and powerful open source messaging and Integration Patterns server.\r\n\r\nSecurity Fix(es):\n\nImproper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.\n\nA remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure.\nThis issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.\n\n\n\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.(CVE-2026-49432)\n\nImproper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.\n\nAn attacker that has access to publish or modify entries in LDAP that match the configured searchBase and searchFilter can instantiate denied transports inside the broker JVM. This can be used to fetch an attacker URL and spawn a second BrokerService inside the same JVM.\nThis issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7.\n\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.(CVE-2026-49434)\n\nImproper Authorization vulnerability in Apache ActiveMQ.\n\nAn authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins.\nThis issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.(CVE-2026-49877)\n\nMemory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All.\n\nAn unauthenticated network attacker can cause a broker DoS by sending a crafted WireFormatInfo frame with a malicious large size value. The value is not validate and causes the broker to attempt allocation during pre-auth negotiation which can trigger OOM and crash the broker.\nThis issue affects Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7.\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.(CVE-2026-50734)\n\nImproper Neutralization of Input During Web Page Generation (&apos;Cross-site Scripting&apos;) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console.\n\nThe browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to send a message with a JMS message ID that has been crafted to contain HTML/JavaScript such that when an administrator browses the queue in the Web Console, the payload executes in their browser.\nThis issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Web Console: before 5.19.8, from 6.0.0 before 6.2.7.\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.(CVE-2026-52760)\n\nMemory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.\n\n\nAn unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate which makes the broker buffer them without limit, exhausting the JVM heap. \nThis issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.(CVE-2026-53916)\n\nMemory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker.\n\nAn authenticated user can cause a broker DoS by sending a crafted OpenWire Message with a large encoded size value for the map. OpenWire message property maps are unmarshaled without size validation which can trigger OOM and crash the broker.\nThis issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7.\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.(CVE-2026-53917)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"activemq","purl":"pkg:rpm/openEuler/activemq&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.19.8-1.oe2403sp3"}]}],"ecosystem_specific":{"noarch":["activemq-5.19.8-1.oe2403sp3.noarch.rpm","activemq-javadoc-5.19.8-1.oe2403sp3.noarch.rpm"],"src":["activemq-5.19.8-1.oe2403sp3.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2921"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49432"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49434"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49877"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50734"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52760"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53916"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53917"}],"database_specific":{"severity":"High"}}
